Merb OpenID Consumer Application Based on Merb-Auth

We’ve been playing around with OpenID this week so I figured it was worth spending some time to test the latest Merb 1.0 release candidate.

Say hello to the merb-openid-example. It is a simple OpenID consumer application based on merb-auth. One of merb-auth’s built in strategies is OpenID, getting things going is simply a matter of enabling the appropriate authentication strategies.

This application is intended to run against merb 0.9.12(1.0rc4). Here’s a quick checklist of what was involved in getting merb-auth working with the OpenID strategy.

  • sudo gem install merb
  • setup the merb-auth strategy
  • add the openid and signup named routes
  • modify the user model to handle OpenID attributes
  • add the ensure_authenticated before filter

To setup Merb I normally uninstall every trace of Merb that’s on my system. The 0.9.x branches tend to conflict if you have multiple Merb versions installed. I tend to do the following (note it uninstalls ALL Merb gems):

gem list merb | awk '{print $1}' | xargs sudo gem uninstall -aI

Then I just install the Merb meta package:

sudo gem install merb

Setting up the merb-auth strategy requires you to familiarize yourself with the merb/merb-auth/strategies.rb file. In a newly generated Merb application this file should setup a salted password base authentication scheme, we want to change it so it looks like the following:

Next we need to setup two named routes that the openid auth strategy will use in order to make the openid authentication happen. I created a separate controller(authentication.rb) to handle these requirements. All you really need to know about the two named routes, openid and signup, is that signup should not require authentication and the openid route should.

The default user.rb that you get from merb-gen will need a few minor adjustments to work with OpenID. First you’ll have to add a few attributes if you intend to cache them locally, and after that you’ll need to disable the password validations that are automatically enabled by the salted password strategy (even if you disabled it). My user.rb looks like this.

Once all that’s done you should be able to just throw the before filter into your application.rb and you’ll be ready to start using merb-auth with the OpenID strategy.

The example application works out of the box, just run the merb command. It also has specs which show off a bug that still exists in rc4 where controllers are not honoring :only/:exclude parameters that are passed to before filters.

I’d like for this to remain a simple app that we can keep as a community example. If this gets out of date please fork it and send me a pull request on GitHub.